Upload
lenguyet
View
228
Download
4
Embed Size (px)
Citation preview
SAE INTERNATIONAL
June 2016
Lisa Boran Barbara J. Czerny
Ford Motor Company ZF TRW
SAE J3061 Committee Chair SAE J3061 Committee Member
David Ward, HORIBA MIRA
SAE J3061 Committee Member
OVERVIEW OF RECOMMENDED
PRACTICE - SAE J3061TM
CYBERSECURITY GUIDEBOOK FOR
CYBER-PHYSICAL VEHICLE SYSTEMS
SAE INTERNATIONAL
AGENDA
Copyright SAE International 2
SAE Standardization Activities
Motivation
Main Content of J3061TM
Current Status
Future Plans
SAE INTERNATIONAL
SAE Portfolio. Reaching over 145,000 individuals in over 110 Countries.
Body Headline Arial Bold 18pt
with single line spacing
Body Arial Regular 18pt with
single line spacing
• Bullet one using “Increase List
Level” button, Arial 18pt with
single line spacing
3
SAE INTERNATIONAL 4
SAE Standards Development
609 committees
8,865 members
2,898 companies
1,423 meetings
Committee meetings are open
to all interested parties, but
only committee members vote
on draft documents.
Individuals participate on
committees as technical
experts and not as
representatives of their
organizations
Copyrig
ht (c
) 2014 S
AE
Inte
rnatio
nal. A
ll rights
reserv
ed.
SAE INTERNATIONAL 5
SAE’S Ground Vehicle Map of Standards for Connected, Automated and Cooperative Intelligent Transportation Systems
For information on expanded AV/CV/ITS
Map of standards activities, contact [email protected]
SAE INTERNATIONAL
Copyright © SAE International. Further use or distribution is not permitted without permission from SAE
Why standards are needed: Safety Considerations
Original objectives
Develop a global harmonized approach
to determining ISO 26262 ASIL
classifications for vehicle level hazards
Develop global harmonized ASIL
classifications for vehicle level hazards
Develop global standard hazard metrics
for harmonized ASIL classified hazards
Now mostly concerned with
guidance on a consistent process
Found very quickly it was not possible
to agree on “global harmonized ASIL
classifications” 6 Copyright SAE International
J2980TM – Considerations for ISO
26262 ASIL hazard classification
ISO 26262 contains requirements but
a certain amount of “prior
knowledge” is assumed
Guidance (including NOTES,
EXAMPLES, most Annexes, and Part
10) are informative and are not
comprehensive
Example: Part 3 (concept phase)
SAE INTERNATIONAL
Copyright © SAE International. Further use or distribution is not permitted without permission from SAE
Why standards are needed: Security Considerations
The connected world poses threats
to:
• Product Safety and Performance
• Data Integrity and Access
• Privacy
• Interoperability
J3061™ Establishes needed
guidance and recommendations for
designing cybersecurity into the
system including product design,
validation, deployment and
communication tasks 7
Infographic by Ashleigh N. Faith
2015
Copyright SAE International
SAE INTERNATIONAL
Motivation for Creating SAE J3061TM
Copyright SAE International 8
Past Vehicle Design Emphasis was on Engine Design, Comfort and Chassis
− Vehicle was self contained
SAE INTERNATIONAL
Motivation for Creating SAE J3061TM
Copyright SAE International 9
Interconnectivity of today’s and future vehicles makes them potential targets for attack
SAE INTERNATIONAL Copyright SAE International 10
Cybersecurity was relatively new to automotive, and most existing
information did not address unique aspects of embedded controllers
Cybersecurity principles, process and terminology are needed that can be
commonly understood between OEMs, Tier 1 suppliers & key stakeholders
A defined and structured process helps ensure that cybersecurity is built into
the design throughout product development
• Based on ISO 26262 Functional Safety process framework
• No system can be guaranteed 100% secure
– Following a structured process helps reduce the likelihood of a successful
attack, thus reducing the likelihood of losses
– A structured process also provides a clear means to react to a continually
changing threat landscape
Motivation for Creating SAE J3061TM
SAE INTERNATIONAL
ISO 26262 Process Framework vs. Cybersecurity Process Framework
Copyright SAE International 11
ISO 26262
SAE J3061TM Source: J3061TM
Copyright SAE International
SAE INTERNATIONAL
1. Scope
Copyright SAE International 12
Describes the application and purpose of J3061TM and provides application
guidance.
Provides guidance on vehicle cybersecurity
• Intended to be flexible, pragmatic, and adaptable in its application to the vehicle industry as
well as to other cyber-physical vehicle systems
e.g., commercial and military vehicles, trucks, busses
Defines a complete lifecycle process framework
Provides information on existing tools and methods used when designing, verifying, and
validating cyber-physical vehicle systems
Provides high-level guiding principles on cybersecurity for CPVS
Provides the foundation for further standards development activities in vehicle cybersecurity
Provides guidance on when to apply a cybersecurity process
SAE INTERNATIONAL
3. Definitions
Copyright SAE International 13
Throughout the document, the initial use of a word contained in the
definition section is bold italics.
Key Definitions
Cyber-physical system – a system of collaborating computational elements
controlling physical entities
Cybersecurity – an attribute of a cyber-physical system that relates to avoiding
unreasonable risk due to an attack
Attack – exploitation of vulnerabilities to obtain unauthorized access to or control
of assets with the intent to cause harm
Threat – a circumstance or event with potential to cause harm
– NOTE: Harm may be related to financial, operational performance, safety, reputation,
privacy and/or sensitive data
SAE INTERNATIONAL
Key Definitions Vulnerability vs. Threat vs. Risk
Copyright SAE International 14
Threat
Vulnerability Risk = likelihood
of attack|success
Source: AutoImmune
SAE INTERNATIONAL
4. Relationship Between System Safety and System Cybersecurity
Copyright SAE International 15
Provides an overview of system safety and system cybersecurity and how the two
domains are related and different.
Scope of cybersecurity is broader
• All safety-critical systems are cybersecurity-critical systems, but not all
cybersecurity-critical systems are safety-critical
Describes the relationship between system safety engineering process elements
and system cybersecurity engineering process elements
Describes analogies between system safety and system cybersecurity
engineering (TARA - HARA, Attack Tree Analysis - Fault Tree Analysis)
Describes unique aspects of system safety and system cybersecurity
(Accident or Faults vs. Purposeful Malicious Attack)
SAE INTERNATIONAL
5. Guiding Principles on Cybersecurity for Cyber-Physical
Vehicle Systems
Copyright SAE International 16
Provides some general guiding principles with respect to cybersecurity that are
applicable to any organization.
Know your Feature’s Cybersecurity Potential
Understand key cybersecurity principles
Consider the vehicle owners’ use of the feature
Implement cybersecurity in concept and design phases
Implement cybersecurity in development and validation
Implement cybersecurity in incident response
Cybersecurity considerations when the vehicle owner changes
SAE INTERNATIONAL Copyright SAE International 17
As with system safety, cybersecurity must be built into the feature rather than added
on at the end of development. Building cybersecurity into the design requires an
appropriate lifecycle process from concept phase through production, operation,
service and decommissioning.
Motivation for a well-defined and well-structured process
Process Framework Overall management of cybersecurity
Concept Phase
Product Development
• Product Development: System Level
• Product Development: Hardware Level
• Product Development: Software Level
Production, Operation and Service
Supporting Processes
Milestone and Gate Reviews
6. CYBERSECURITY PROCESS OVERVIEW
SAE INTERNATIONAL Copyright SAE International 18
Concept Phase Flow Diagram
Feature Definition
Initiation of Cybersecurity
Lifecycle (Planning)
Threat Analysis and Risk
Assessment
Cybersecurity Concept
Identify Functional Cybersecurity
Requirements
Identify Highest Risk Potential
Threats
Identify Cybersecurity Goals
Initial Cybersecurity Assessment
Concept Phase Review
Source: J3061TM
Copyright SAE International
SAE INTERNATIONAL Copyright SAE International 19
Creating, fostering, and sustaining a cybersecurity culture that supports and
encourages effective achievement of cybersecurity within the organization.
Cybersecurity Culture
Measuring Conformance to a Cybersecurity Process
Identifying and Establishing Communication Channels
Developing and Implementing Training and Mentoring
Operation and Maintenance Activities
• Incident Response Process
• Field Monitoring Process
7. OVERALL MANAGEMENT OF CYBERSECURITY
SAE INTERNATIONAL Copyright SAE International 20
This section describes in detail the activities in each of the cybersecurity lifecycle phases
discussed in the cybersecurity process overview section (Section 6). For each lifecycle
phase, the activities are described and a description of a possible implementation of the
activities is provided.
Applying a Cybersecurity Process Separately with Integrated Communication Points to
a Safety Process
Applying a Cybersecurity Process in Conjunction with a Safety Process
Concept Phase
Product Development at the System Level
Product Development at the Hardware Level
Product Development at the Software Level
Production, Operation and Service
Supporting Processes
8. PROCESS IMPLEMENTATION
SAE INTERNATIONAL
Potential Communications Paths During the Concept Phase Activities
Copyright SAE International 21
Source: J3061TM
Copyright SAE
International
SAE INTERNATIONAL
Cybersecurity V Model Relationship Between System, Hardware and Software Development Activities
Copyright SAE International 22
Source: draft document J3061TM
Copyright SAE International
SAE INTERNATIONAL Copyright SAE International 23
This sections provides a description of different analysis methods. This helps guide the
reader to determine which method may better suit their needs and also provides a start on
how to apply a particular one.
Overview of Threat Analysis, Risk Assessment, & Vulnerability Analysis Methods
• EVITA Method (E-safety Vehicle InTrusion protected Applications)
• EVITA Applied at the Feature Level using THROP (Threat and Operability Analysis)
• TVRA (Threats, Vulnerabilities and Risks (TVR) of a system to be Analyzed)
• OCTAVE (Operationally Critical Threat, Asset, and Vulnerability Evaluation)
• HEAVENS (HEAling Vulnerabilities to ENhance Software Security and Safety)
• Attack Trees
• Software Vulnerability Analysis
Overview of Cybersecurity Testing Methods
• Types of Penetration Testing
• Red Teaming
• Fuzz Testing
APPENDIX A: DESCRIPTION OF CYBERSECURITY ANALYSIS TECHNIQUES
SAE INTERNATIONAL Copyright SAE International 24
EVITA Application using THROP
OCTAVE
Attack Tree Analysis
HEAVENS
APPENDIX B: EXAMPLE TEMPLATES FOR WORK PRODUCTS
APPENDIX C: EXAMPLES USING IDENTIFIED ANALYSES
OCTAVE Worksheets
• OCTAVE Allegro, Information Asset Risk Worksheet
• OCTAVE Allegro, Risk Mitigation Worksheet
SAE INTERNATIONAL Copyright SAE International 25
This appendix lists a sample set of 14 security control families and 5 privacy control
families and a few controls within each family that might be applicable for automotive
system security. The scope of coverage includes design, manufacturing, customer
operation, maintenance, and disposal.
APPENDIX D: SECURITY & PRIVACY CONTROLS
DESCRIPTION AND APPLICATION
APPENDIX E: VULNERABILITY DATABASES AND
VULNERABILITY CLASSIFICATION SCHEMES
This appendix provides examples of dictionary and terminology sources for vulnerability
databases (e.g. Common Weakness Enumeration, CWE) , vulnerability databases (e.g.
BugTraq), and vulnerability classification schemes (e.g. Common Weakness Scoring
System, CWSS).
SAE INTERNATIONAL Copyright SAE International 26
Appendix F discusses aspects of vehicle-level Cybersecurity.
Architecture design considerations and partitioning using the NIST approach
Identify Protect Detect Respond Recover
After vehicle sale considerations (defaults, erasing, etc.)
End of life considerations
Communication reporting expectations from the supplier
APPENDIX F: VEHICLE LEVEL CONSIDERATIONS
APPENDIX G: CURRENT SECURITY STANDARDS &
GUIDELINES THAT MAY BE USEFUL TO AUTOMOTIVE INDUSTRY Appendix G lists Standards and Guidelines from a variety of sources (e.g. NIST, FIPS,
DHS, DARPA) that may be useful for members of the Vehicle Industry in understanding
the overall Security realm, and in determining the details of implementing Cybersecurity
into their organizations.
SAE INTERNATIONAL Copyright SAE International 27
Appendix I lists some security test tool categories, and descriptions, for testing tools
that may be of potential use to the vehicle industry for Cybersecurity.
○ Static Code Analyzer ○ Encryption Cracker
○ Dynamic Code Analyzer ○ Hardware Debugger
○ Network Traffic Analyzer ○ Known Answer Tester
○ Vulnerability Scanner ○ Application Tester
○ Fuzz Tester ○ Interface Scanner
○ Exploit Tester ○ Network Stress Tester
APPENDIX H: VEHICLE PROJECT AWARENESS
APPENDIX I: SECURITY TEST TOOLS OF POTENTIAL USE TO THE
VEHICLE INDUSTRY
Appendix H summarizes the key research projects on Vehicle Cybersecurity beginning
with 2004 and up through the present . Examples are EVITA, SESAMO, HEAVENS.
SAE INTERNATIONAL Copyright SAE International 28
Current Status of J3061TM Surface Vehicle Recommended Practice
Three formal internal committee ballots performed
(86% approval or higher received)
Completed the 28-day Motor Vehicle Counsel Ballot
(80% participation with 70% approve and 10% waive)
Released January 15, 2016
“SAE J3061™: Cybersecurity Guidebook for Cyber-Physical Vehicle
Systems” is available for sale at http://standards.sae.org/j3061_201601/
and an on-demand webinar reviewing SAE J3061™ is also available
https://event.webcasts.com/starthere.jsp?ei=1080592
SAE INTERNATIONAL Copyright SAE International 29
Special Thanks!
Additional Authors of J3061TM
Brian Anderson, SwRI
Angela Barber, GM
Kevin Harnett, DOT
Mafijul Islam, Volvo
Justin Mendenhall, Ford
Steve Siko, FCA
Priyamvadha Vembar, Bosch
David Ward, MIRA
Tim Weisenberger, DOT
In addition there were a number
of other people that contributed
to the development of the
document and we would like to
thank those people as well!
SAE INTERNATIONAL
AGENDA
Copyright SAE International 30
Motivation
Main Content of J3061TM
Current Status
Future Plans
SAE INTERNATIONAL
*Formerly Automotive
Security Guidelines and Risk
Management Task Group
(J3061 Recommended
Practice)
31
SAE Motor Vehicle Council/Electrical
Systems
TEVEES18
Vehicle Electrical System Security (VESS)
TEVEES18B – Electrical Hardware Security
(J3101 Recommended Practice)
TEVEES18A
Vehicle Cybersecurity Systems Engineering*
TEVEES18A1 – Cybersecurity
Assurance Testing Task Force
TEVEES18A2 – Automotive
Cybersecurity Integrity Level Task Force
SAE Vehicle Cybersecurity Subcommittees
Copyright SAE International. Further distribution is not permitted without permission from SAE International
SAE INTERNATIONAL
J3061 Future Plans
32
Objective: New SAE Committee (Vehicle Cybersecurity Systems Engineering) has the following Scope:
“To update the current J3061 recommended practice document to move J3061 closer to becoming a standard to
allow cybersecurity robustness to be designed and built into cyber-physical vehicle systems”
Work in Progress (WIP) to revise J3061 under new committee opened in February 2016
Areas to be Developed and Refined to Achieve Objective:
• Develop Common Threat Analysis and Risk Assessment Method and Corresponding Automotive Cybersecurity Integrity
Level (ACSIL) Classification Scheme
• Identify Specific Details for each Lifecycle Phase in the Cybersecurity Process Framework
• Associate specific process application details with each ACSIL
• Determine Cybersecurity Countermeasure Recommendations for each ACSIL
• Develop Cybersecurity Assurance Testing Recommendations
Copyright SAE International. Further use or distribution is not permitted without permission from SAE
SAE INTERNATIONAL
J3061 Future Plans (Cont’d)
33
TEVEES18A1 – Cybersecurity Assurance Testing Task Force
• Develop appropriate SAE documentation for cybersecurity assurance testing and evaluation
• The task force shall become more familiar with what types of testing and evaluations are effective in measuring claims of cybersecurity development practices and mechanisms
• The task force shall work towards creating a consistent framework where all systems and components throughout the extended supply chain are evaluated with a common set of criteria
• The goal is to produce a common means of evaluation criteria wherein Stakeholders can sign off on the hardware and software configuration received with confidence that the expected level of cybersecurity evaluation criteria has been met.
• The task force shall leverage existing work that has been previously accomplished by security experts and testing organizations
Copyright SAE International. Further use or distribution is not permitted without permission from SAE International
SAE INTERNATIONAL
J3061 Future Plans (Cont’d)
34
Automotive Cybersecurity Integrity Level (ACSIL) Classification Task Force Objectives
• Review existing classification schemes from other industries and existing ideas that were presented at SAE or that may be being proposed or used in other organizations
• Determine to use either an existing classification scheme or create a new classification scheme specific for the automotive industry from the existing or proposed methods or ideas
• A new classification scheme would most likely be an integration or merging of existing or proposed methods
• Determine a Threat analysis and Risk Assessment (TARA) method that would work with the classification scheme or from which we could map into a specific level in the cybersecurity integrity level classification scheme
• This will require reviewing existing TARA methods and deciding on an existing method, or a tailored version of existing methods
• Determine how to relate the ACSIL for safety-related threats to the ASIL from ISO 26262
Copyright SAE International. Further distribution is not permitted without permission from SAE International
SAE INTERNATIONAL
J3061 Future Plans – Standards Development Issues
35
• ISO/TC 22/SC 32 (Electrical and Electronic Components and General System Aspects)
• Germany, supported by the Verband der AutomobileIndustrie (VDA) members, are interested to develop an “international” standard for automotive security – “Road Vehicle - Automotive Security Engineering”
• SAE/US proposed to develop a joint SAE/ISO “international” standard for automotive cybersecurity – “Road Vehicles – Vehicle Cybersecurity Engineering”
• Propose using J3061 as the foundation and follow the SAE standards development process
• The SAE international standards development process is quicker than the ISO standards development process
• Would allow a joint SAE/ISO international cybersecurity standard to be developed more quickly
• J3061 was developed to be used as a foundation for a standard development
• Extensive discussion and agreement between SAE, ISO,VDA on this proposal since July of 2015
• Each organizations’ ballot process will be followed.
• Follows existing Pilot program proposal for Joint Standards Development between ISO and SAE (already underway)
• SAE/ISO Negotiation still in progress
• Both SAE and ISO issued their own New Work Item Proposal (NWIPs)
• No conclusion if a joint effort will be agreed to
• SAE/ISO Meeting in Berlin (June 2016)
SAE INTERNATIONAL
New webinar: “Keys to Creating a Cybersecurity Process from the J3061
Process Framework”
36
Session 1
Brief History of Automotive Security and
Cybersecurity
Cyber-Physical Systems
Reactive vs. Proactive Approach to Cybersecurity
What is a Process?
Key Concepts in Cybersecurity Defined
Introduction to J3061
When to Apply a Cybersecurity Process
Cybersecurity Process Overview
Session 2 Cybersecurity Process Details
Overall management of cybersecurity
Concept phase
Product development at the system, hardware and
software levels
Session 3 Production, Operation and Service
Supporting Processes
Relationship between Cybersecurity Process and
Safety Process
Review of Appendices A, C-E, G-I
Tailoring the J3061 Process Framework into an
Internal Process
Examples of Key Analysis Activities
Summary
http://training.sae.org/webseminars/wb1604/
SAE INTERNATIONAL Copyright SAE International 37
Thank You!
If interested in participating in any of the 4 SAE Cybersecurity Committees:
TEVEES18 – Vehicle Electrical System Security
TEVEES18A – Automotive Security Guidelines and Risk Management
(J3061 Recommended Practice)
- Reopened as full Committee - ‘Vehicle Cybersecurity
Systems Engineering’
TEVEES18A1 – Cybersecurity Assurance Testing Task Force
TEVEES18A2 – Automotive Cybersecurity Integrity Level (ACsIL) Task Force
TEVEES18B – Electrical Hardware Security
(J3101 Recommended Practice) Contact:
Lorie Featherstone <[email protected]>